Merge pull request #24 from c00kiemon5ter/feature-multiple-scopes

c00kiemon5ter · web-flow · commit 2014f2feec30 · 2019-01-17T11:04:49.000+02:00
Support for multiple scopes
diff --git a/setup.py b/setup.py
@@ -11,7 +11,7 @@
     author_email='satosa-dev@lists.sunet.se',
     description='OpenID Connect Provider (OP) library in Python.',
     install_requires=[
-        'oic<0.12',
+        'oic>0.13.1',
         'pymongo'
     ]
 )
diff --git a/src/pyop/provider.py b/src/pyop/provider.py
@@ -126,8 +126,9 @@ def parse_authentication_request(self, request_body, http_headers=None):
 
     def authorize(self, authentication_request,  # type: oic.oic.message.AuthorizationRequest
                   user_id,  # type: str
-                  extra_id_token_claims=None
+                  extra_id_token_claims=None,
                   # type: Optional[Union[Mapping[str, Union[str, List[str]]], Callable[[str, str], Mapping[str, Union[str, List[str]]]]]
+                  extra_scopes=None,
                   ):
         # type: (...) -> oic.oic.message.AuthorizationResponse
         """
@@ -166,7 +167,11 @@ def authorize(self, authentication_request,  # type: oic.oic.message.Authorizati
             if len(authentication_request['response_type']) == 1:
                 # only id token is issued -> no way of doing userinfo request, so include all claims in ID Token,
                 # even those requested by the scope parameter
-                requested_claims.update(scope2claims(authentication_request['scope']))
+                requested_claims.update(
+                    scope2claims(
+                        authentication_request['scope'], extra_scope_dict=extra_scopes
+                    )
+                )
 
             user_claims = self.userinfo.get_claims_for(user_id, requested_claims)
             response['id_token'] = self._create_signed_id_token(authentication_request['client_id'], sub,
@@ -340,7 +345,7 @@ def _do_code_exchange(self, request,  # type: Dict[str, str]
             raise InvalidTokenRequest(str(e), token_request) from e
 
         authentication_request = self.authz_state.get_authorization_request_for_code(token_request['code'])
-        
+
         if token_request['client_id'] != authentication_request['client_id']:
             logger.info('Authorization code \'%s\' belonging to \'%s\' was used by \'%s\'',
                         token_request['code'], authentication_request['client_id'], token_request['client_id'])
@@ -415,7 +420,7 @@ def _verify_client_authentication(self, request_body, http_headers=None):
         token_request['client_id']  = verify_client_authentication(self.clients, token_request, http_headers.get('Authorization'))
         return token_request
 
-    def handle_userinfo_request(self, request=None, http_headers=None):
+    def handle_userinfo_request(self, request=None, http_headers=None, extra_scopes=None):
         # type: (Optional[str], Optional[Mapping[str, str]]) -> oic.oic.message.OpenIDSchema
         """
         Handles a userinfo request.
@@ -433,7 +438,7 @@ def handle_userinfo_request(self, request=None, http_headers=None):
         scope = introspection['scope']
         user_id = self.authz_state.get_user_id_for_subject_identifier(introspection['sub'])
 
-        requested_claims = scope2claims(scope.split())
+        requested_claims = scope2claims(scope.split(), extra_scope_dict=extra_scopes)
         authentication_request = self.authz_state.get_authorization_request_for_access_token(bearer_token)
         requested_claims.update(self._get_requested_claims_in(authentication_request, 'userinfo'))
         user_claims = self.userinfo.get_claims_for(user_id, requested_claims)
diff --git a/tests/pyop/test_authz_state.py b/tests/pyop/test_authz_state.py
@@ -37,18 +37,18 @@ def authorization_state_factory(self):
     def authorization_state(self, authorization_state_factory):
         return authorization_state_factory(refresh_token_lifetime=3600)
 
-    def assert_access_token(self, access_token, access_token_db, iat):
+    def assert_access_token(self, authorization_request, access_token, access_token_db, iat):
         assert isinstance(access_token, AccessToken)
         assert access_token.expires_in == self.TEST_TOKEN_LIFETIME
         assert access_token.value
         assert access_token.BEARER_TOKEN_TYPE == 'Bearer'
 
         assert access_token.value in access_token_db
-        self.assert_introspected_token(access_token_db[access_token.value], access_token, iat)
+        self.assert_introspected_token(authorization_request, access_token_db[access_token.value], access_token, iat)
         assert access_token_db[access_token.value]['exp'] == iat + self.TEST_TOKEN_LIFETIME
 
-    def assert_introspected_token(self, token_introspection, access_token, iat):
-        auth_req = self.authorization_request().to_dict()
+    def assert_introspected_token(self, authorization_request, token_introspection, access_token, iat):
+        auth_req = authorization_request.to_dict()
 
         assert token_introspection['scope'] == auth_req['scope']
         assert token_introspection['client_id'] == auth_req['client_id']
@@ -91,7 +91,7 @@ def test_create_access_token(self, authorization_state_factory, authorization_re
         self.set_valid_subject_identifier(authorization_state)
 
         access_token = authorization_state.create_access_token(authorization_request, self.TEST_SUBJECT_IDENTIFIER)
-        self.assert_access_token(access_token, authorization_state.access_tokens, MOCK_TIME.return_value)
+        self.assert_access_token(authorization_request, access_token, authorization_state.access_tokens, MOCK_TIME.return_value)
 
     def test_create_access_token_with_scope_other_than_auth_req(self, authorization_state, authorization_request):
         scope = ['openid', 'extra']
@@ -115,7 +115,7 @@ def test_introspect_access_token(self, authorization_state_factory, authorizatio
         access_token = authorization_state.create_access_token(authorization_request, self.TEST_SUBJECT_IDENTIFIER)
         token_introspection = authorization_state.introspect_access_token(access_token.value)
         assert token_introspection['active'] is True
-        self.assert_introspected_token(token_introspection, access_token, MOCK_TIME.return_value)
+        self.assert_introspected_token(authorization_request, token_introspection, access_token, MOCK_TIME.return_value)
 
     def test_introspect_access_token_with_expired_token(self, authorization_state_factory, authorization_request):
         authorization_state = authorization_state_factory(access_token_lifetime=self.TEST_TOKEN_LIFETIME)
@@ -129,7 +129,7 @@ def test_introspect_access_token_with_expired_token(self, authorization_state_fa
         with patch('time.time', mock_time2):
             token_introspection = authorization_state.introspect_access_token(access_token.value)
         assert token_introspection['active'] is False
-        self.assert_introspected_token(token_introspection, access_token, MOCK_TIME.return_value)
+        self.assert_introspected_token(authorization_request, token_introspection, access_token, MOCK_TIME.return_value)
 
     @pytest.mark.parametrize('access_token', INVALID_INPUT)
     def test_introspect_access_token_with_invalid_access_token(self, access_token, authorization_state):
@@ -149,7 +149,7 @@ def test_exchange_code_for_token(self, authorization_state_factory, authorizatio
         authz_code = authorization_state.create_authorization_code(authorization_request, self.TEST_SUBJECT_IDENTIFIER)
         access_token = authorization_state.exchange_code_for_token(authz_code)
 
-        self.assert_access_token(access_token, authorization_state.access_tokens, MOCK_TIME.return_value)
+        self.assert_access_token(authorization_request, access_token, authorization_state.access_tokens, MOCK_TIME.return_value)
         assert authorization_state.authorization_codes[authz_code]['used'] == True
 
     def test_exchange_code_for_token_with_scope_other_than_auth_req(self, authorization_state,
@@ -248,7 +248,7 @@ def test_use_refresh_token(self, authorization_state_factory, authorization_requ
                authorization_state.access_tokens[old_access_token.value]['exp']
         assert authorization_state.access_tokens[new_access_token.value]['iat'] > \
                authorization_state.access_tokens[old_access_token.value]['iat']
-        self.assert_access_token(new_access_token, authorization_state.access_tokens, mock_time2.return_value)
+        self.assert_access_token(authorization_request, new_access_token, authorization_state.access_tokens, mock_time2.return_value)
 
         assert authorization_state.refresh_tokens[refresh_token]['access_token'] == new_access_token.value
 
@@ -430,4 +430,4 @@ def test_remove_state_for_subject_identifier(self, authorization_state, authoriz
 
     def test_remove_state_for_unknown_subject_identifier(self, authorization_state):
         with pytest.raises(InvalidSubjectIdentifier):
-            authorization_state.delete_state_for_subject_identifier('unknown')
+            authorization_state.delete_state_for_subject_identifier('unknown')
diff --git a/tests/test_requirements.txt b/tests/test_requirements.txt
@@ -1,2 +1,3 @@
-responses==0.5.1
-pycryptodomex
+pytest
+responses
+pycryptodomex
diff --git a/tox.ini b/tox.ini
@@ -2,6 +2,5 @@
 envlist = py34, py35
 
 [testenv]
-commands = py.test tests/
-deps = pytest
-       -rtests/test_requirements.txt
+commands = py.test -rs -vvv tests/
+deps = -rtests/test_requirements.txt

Original file line number	Diff line number	Diff line change
`@@ -11,7 +11,7 @@`
`11`	`11`	`author_email='satosa-dev@lists.sunet.se',`
`12`	`12`	`description='OpenID Connect Provider (OP) library in Python.',`
`13`	`13`	`install_requires=[`
`14`		`- 'oic<0.12',`
	`14`	`+ 'oic>0.13.1',`
`15`	`15`	`'pymongo'`
`16`	`16`	`]`
`17`	`17`	`)`